solo-io / gloo

The Cloud-Native API Gateway and AI Gateway
https://docs.solo.io/
Apache License 2.0

OIDC - API for admin to revoke user session #10277

Open mgolding5010 opened 1 week ago

mgolding5010 commented 1 week ago

Gloo Edge Product

Enterprise

Gloo Edge Version

1.17.2

Is your feature request related to a problem? Please describe.

It is possible to revoke a user session in OP but accessToken may still be valid. At least when extAuth and redis are used, the redis key can also be deleted and the session is ended, forcing the user to log in again. Without Redis, client / browser can continue to gain access until the accessToken is invalid but extAuth does not have control of this.

Describe the solution you'd like

Allow an Administrator to hit the logout endpoint for a user to log them out (i.e. logout of OP and remove redis key used by extAuth). NB: Admin needs mechanism to know which session key relates to which user. NB: Customer is not currently using gloo portal UI. Customer has requested an API for this.

Describe alternatives you've considered

Customer is prepared to write the functionality themselves if solo aren't able to provide a solution.

Additional Context

No response
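As an added example (not Gloo code and not the reporter's), a minimal in-memory stand-in for the Redis session keyspace that answers the second NB above: it keeps a reverse index from user id to session keys, so an admin revoke-by-user call can delete every key without knowing the opaque value in the browser's cookie, and the per-request check then fails even while the OP-issued access token is still unexpired. Names (`SessionStore`, `Create`, `Valid`, `RevokeUser`) are assumed for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
)

// SessionStore stands in for the Redis keyspace an ext-auth service uses to
// map an opaque session key (the browser cookie) to the logged-in user. The
// reverse index is what lets an admin revoke by user id without knowing the
// opaque key held in the user's cookie. Not safe for concurrent use.
type SessionStore struct {
	sessions  map[string]string   // session key -> subject (user id)
	bySubject map[string][]string // subject -> its live session keys
}

func NewSessionStore() *SessionStore {
	return &SessionStore{map[string]string{}, map[string][]string{}}
}

// Create issues a fresh random session key for subject and records it in
// both directions so it can later be found either by key or by user.
func (s *SessionStore) Create(subject string) string {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err) // no usable entropy; never fall back to a weaker source
	}
	key := hex.EncodeToString(raw)
	s.sessions[key] = subject
	s.bySubject[subject] = append(s.bySubject[subject], key)
	return key
}

// Valid is the per-request check: a missing key means the session was ended,
// however long the access token it once held remains valid at the OP.
func (s *SessionStore) Valid(key string) bool {
	_, ok := s.sessions[key]
	return ok
}

// RevokeUser is the admin operation: drop every session key for subject and
// report how many were removed (0 means the user had no live session).
func (s *SessionStore) RevokeUser(subject string) int {
	keys := s.bySubject[subject]
	for _, k := range keys {
		delete(s.sessions, k)
	}
	delete(s.bySubject, subject)
	return len(keys)
}
```

In a real deployment the reverse index would live in Redis alongside the session keys (for example as a set per subject) so that revocation survives restarts and works across ext-auth replicas.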

soloio-bot commented 6 days ago

Zendesk ticket #4771 has been linked to this issue.

anessi commented 6 days ago

Also see https://github.com/solo-io/gloo/issues/4446 for the initial request.